GHSA-w7v9-fc49-4qg4: org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability

Impact

Any user with view rights on WikiManager.DeleteWiki can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the wikiId URL parameter.

A proof of concept exploit is to open <xwiki-host>/xwiki/bin/view/WikiManager/DeleteWiki?wikiId=%22+%2F%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D where <xwiki-host> is the URL of your XWiki installation.
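Because the affected template inserted the wikiId URL parameter into wiki syntax unescaped, an injected value has to carry XWiki macro markers that a legitimate wiki identifier never contains. The following detection helper, added here as an example (not code from the advisory or from XWiki), scans access-log lines for DeleteWiki requests whose wikiId looks like that; it assumes a common/combined log layout, and the sample log lines are constructed, with the first URL taken from the advisory's proof of concept.

```python
# Added example for GHSA-w7v9-fc49-4qg4, not code from the advisory or XWiki:
# flag DeleteWiki requests whose wikiId parameter carries XWiki macro syntax.
from __future__ import annotations
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Path of the affected page (from the advisory's proof of concept).
DELETE_WIKI_PATH = "/xwiki/bin/view/WikiManager/DeleteWiki"
# Macros that run server-side code (named in the advisory and its proof of concept).
SCRIPT_MACROS = ("groovy", "python", "velocity", "async")
# Assumed common/combined access-log layout: client first, then "METHOD url HTTP/".
REQUEST_RE = re.compile(r'^(\S+) .*? "(?:GET|POST) (\S+) HTTP/')

# Constructed sample log lines: the first URL is the advisory's proof of
# concept, the other two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2023:10:00:01 +0000] "GET /xwiki/bin/view/WikiManager/DeleteWiki?wikiId=%22+%2F%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 5120
10.0.0.7 - - [12/Apr/2023:10:00:02 +0000] "GET /xwiki/bin/view/WikiManager/DeleteWiki?wikiId=marketing HTTP/1.1" 200 4096
10.0.0.8 - - [12/Apr/2023:10:00:03 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 2048
"""

def wiki_id_from_url(url: str) -> str | None:
    """Return the decoded wikiId value if the URL targets the affected page."""
    parts = urlsplit(url)
    if parts.path != DELETE_WIKI_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("wikiId")
    # parse_qs already decodes once; decode again to catch double encoding.
    return unquote_plus(values[0]) if values else None

def classify_wiki_id(value: str) -> list[str]:
    """Return the reasons a wikiId value looks like macro injection."""
    reasons = []
    if "{{" in value or "}}" in value:
        reasons.append("macro delimiters")
    found = [m for m in SCRIPT_MACROS if re.search(r"\{\{/?" + m + r"\b", value)]
    if found:
        reasons.append("script macros: " + ", ".join(found))
    return reasons

def scan_log(log_text: str) -> list[dict]:
    """Return one finding per request whose wikiId carries macro syntax."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, url = m.groups()
        wiki_id = wiki_id_from_url(url)
        if wiki_id is not None and (reasons := classify_wiki_id(wiki_id)):
            findings.append({"client": client, "wikiId": wiki_id, "reasons": reasons})
    return findings
```

Run `scan_log` over real access logs to find past attempts on unpatched instances; the same `classify_wiki_id` check fits a WAF or request filter while the upgrade to a patched version is pending.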

Patches

The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10.

Workarounds

The issue can be fixed by manually applying this patch.

References

  • https://jira.xwiki.org/browse/XWIKI-20297
  • https://github.com/xwiki/xwiki-platform/commit/ba4c76265b0b8a5e2218be400d18f08393fe1428#diff-64f39f5f2cc8c6560a44e21a5cfd509ef00e8a2157cd9847c9940a2e08ea43d1R63-R64

Package

org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki (Maven)

Affected versions

>= 5.3-milestone-2, < 13.10.11

>= 14.0-rc-1, < 14.4.7

>= 14.5, < 14.10

Patched versions

13.10.11

14.4.7

14.10

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Jira XWiki.org
  • Email us at Security Mailing List

References

  • GHSA-w7v9-fc49-4qg4
  • xwiki/xwiki-platform@ba4c762#diff-64f39f5f2cc8c6560a44e21a5cfd509ef00e8a2157cd9847c9940a2e08ea43d1R63-R64
  • https://jira.xwiki.org/browse/XWIKI-20297

tmortagne published to xwiki/xwiki-platform

Apr 12, 2023

Published to the GitHub Advisory Database

Apr 12, 2023

Reviewed

Apr 12, 2023

Last updated

Apr 12, 2023

Related news

CVE-2023-29211: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on `WikiManager.DeleteWiki` can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the `wikiId` URL parameter. The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10.